Incident Management

PROCESS APPLIES TO

Follow this process when a privacy or security incident occurs.

Information Security Incident: An event that affects P&G information and/or systems and violates the law and/or Company policy/standards. These events may transpire within P&G systems or properties or within its designated third party vendor systems or properties that manage P&G data and/or systems (e.g., the P&G shareholder database). An Information Security Incident has or could compromise the confidentiality, integrity and/or availability of P&G information or operations and may be caused by P&G personnel and/or third party actors through intentional or unintentional means.

Privacy Incident: a type of Information Security Incident caused by any actual or probable unauthorized access to Personally Identifiable Information (PI), such as:

Internal exposure of PII to the wrong individuals.

External exposure of PII to the wrong individuals or to the public.

Data corruption that merges individuals’ PII.

Loss of hardware — computers, thumb drives, CDs, etc.

Unauthorized access to PII - hacking/theft/abuse.

WHAT TO DO WHEN YOU BECOME AWARE OF AN INFORMATION SECURITY OR PRIVACY INCIDENT

Immediately inform the P&G incident experts by emailing incident details to securityincident.im@pg.com . Include the following information, if available:

Cause of incident or potential disclosure and if the cause has been contained or remediated